In this episode, we speak to Chris du Toit, My Credit Status' chief technology officer.
Chris explains the different safety measures we take when it comes to users' personal information.
In This Episode
[00:00] Welcome to the official podcast from mycreditstatus.co.za. We will be introducing you to credit experts who will be providing valuable insight and advice from your financial health to improving your credit status and score. Your host for the show is Laura Palmieri.
Laura: [00:19] Hello, and welcome to My Credit Status podcast. In today's social world we generate more data and share more online information than ever before, but how safe is our personal information, especially when we apply for a credit report? On today's show, we go behind the scenes of My Credit Status to find out what safety measures are in place. Is our personal information actually safe?
[00:45] It's my absolute pleasure to introduce Chris du Toit, who's My Credit Status' Chief Technology Officer. We often refer to Chris as our gatekeeper; with over twenty years of experience with systems, we are definitely in good hands. Welcome, Chris.
Chris: [01:01] Hi Laura.
Laura: [01:02] Okay, should we start it off? So Chris, can you briefly give us an overview of what type of systems My Credit Status has in place?
Chris: [01:12] Yes, sure. Well, My Credit Status is currently a reseller Credit Bureau, but we aim to provide more than just the normal credit report that you will receive from a credit bureau. We basically receive the data that we present from the main bureau and we expand on that giving clear explanations and tips for the users to improve their score, and we also provide additional services to our members in the form of online training videos, downloadable files, and so on.
Laura: [01:43] Okay, so basically as a reseller, what is the difference of a reseller?
Chris: [01:50] Well, we do not permanently store any credit data about the users. As a reseller we have the permission to retrieve the data from a registered Credit Bureau, one of the big ones that you have available in South Africa, and we present that data to the customer and thereafter it is removed from our systems.
Laura: [02:16] Okay, so that data is never stored on our system.
Chris: [02:20] It is only stored temporarily to give the user access, but it is also stored in an encrypted form so that nobody else can read or access the data. Only the user can access it and within forty eight hours we will remove the data from our system which also means that if the user wants to keep their credit report they will have to download or save the file, email it to themselves or some way to have a permanent record, because after that time has passed the data is removed from our systems. Also coming back to the difference between a reseller credit bureau and a full credit bureau, we cannot make any changes to the credit report data that we receive where a full credit bureau will get data from large companies and corporations that share the data with them. They have to manipulate the data and determine the score. We only receive that data and show it to the customers. We do not do any alteration or change.
Laura: [03:28] Or algorithms or anything like that.
Chris: [03:28] No.
Laura: [03:28] Okay, one thing I wanted to ask you, like you mention it's on our system for forty eight hours, but I just want our listeners to know, us as users, you as a CTO of our company, can you access that information yourself?
Chris: [03:44] No, the user has to be logged in and the way that the data is encrypted only the user who is logged into the system with the correct user account can decrypt that data. Meaning, the only way I would get access to a user's personal credit report is if they were to share their login information with me and I log in as that user. Other than that the data is stored in such a way that for everybody else who tries to view that it'll just be a bunch of garbage basically.
Laura: [04:15] Okay, so basically the user has his own personal login details and through that they can access it, but we as members of My Credit Status we cannot access that information at all unless like you say they share it with us.
Chris: [04:29] Yes, unless they personally share that with us the data is not viewable or accessible to us. We can only see the encrypted data, which doesn't show you anything about the personal data that is being stored.
Laura: [04:42] Okay, that's really good to know. Now, as we mentioned we have got our reseller license so just over a year ago we were registered with the National Credit Regulator. Now the NCR, which is the short form for National Credit Regulator, regulates the national credit act and it basically regulates the South African credit industry. So we've got our license through the national credit regulator. Now, in order to acquire this license what were the processes required from us in order to be granted the reseller credit bureau license?
Chris: [05:16] Well, NCR is quite strict when it comes to the protection of personal information and data and we had to undergo several audit and security checks, site and survey inspections, and so on to be allowed to provide the data to our customers. They are basically looking at secure service to make sure that we have access control to the data centre, to the data itself. That we have disaster recovery plans in place should anything go wrong that we are able to be back up and running and continue providing the service, and also they are very strict about the fact that as we mentioned, we do not store the report on our service for longer than forty eight hours. We are actually allowed to store it for seventy two hours, but just from a safety perspective we are only keeping it for forty eight.
Laura: [06:05] Okay, so there were a lot of systems and checks in place before we were granted this license, is that correct?
Chris: [06:12] Correct, yes.
Laura: [06:15] Yes, well that's good to know as well. Now, in order for us to maintain our license, what are the ongoing requirements and procedures?
Chris: [06:25] Well, apart from us having to renew the registration yearly and to pay the yearly usage and maintenance fees and so on, we have to undergo quarterly compliance meetings with our compliance officers. And we also have an external auditing firm that needs to audit the policies, processes, systems that we have in place on a yearly basis. All of those are being sent to the NCR for review and that means that they will make sure that we comply with the current regulations, and also as soon as there are new regulations or changes to the law, we will have to comply with those.
Laura: [07:07] Okay, so basically applying and being granted a license was the one process, the other process is to actually constantly maintain and have these audits that happen every month.
Chris: [07:17] Well, the main audit is yearly but we have quarterly reviews of all the information where we report back to them.
Laura: [07:28] Okay and also at My Credit Status we have employed, as you mentioned, an external company that actually does make sure that we comply with these regulations on our behalf.
Chris: [07:40] Yes, that's correct. We actually have two external companies. One is the auditor, the other is the compliance officer and both of them are specialists in their field so I feel that we are in good hands there.
Laura: [07:51] That's correct. Can you walk us quickly through the security process once a consumer has entered their personal details online when they're applying for their credit report?
Chris: [08:05] Okay, the first thing we do is to validate the user's email address since that'll be our primary form of communication with them to be able to offer the services at scale. Once they have confirmed their email, they can choose which report they want, whether they want their score, a full report, or if they want a monthly report. However, before we provide the user with any of their personal financial data, with the actual credit report, we will first perform a person verification test where we check their identity using the data that we received in the report, and only they will have knowledge about. If they are able to answer those questions correctly they will gain access to the report and they'll be able to download and view it. However, if they fail the test, if they do not pass and if they make mistakes or whatever the case may be, they still have the option to prove their identity by sending us a copy of their ID along with a proof of address, and if those match the report and the account that we have on file we can manually validate the user and still give them access to their data.
Laura: [09:11] Well, in this whole process of validating we still cannot access any information of our client.
Chris: [09:22] No, we still cannot access the data from the client.
Laura: [09:25] So we can manually validate, but that's about it and like you mention these documents that might be required, but over and above that there's nothing else that we can access at this stage.
Chris: [09:35] No, the manual validation is basically, and also for the auditors for compliance reasons, if we do receive a manual validation we have to create a log entry for the user, the date, the ID number. We have to save the proof of ID and proof of address that we keep on record and we are being audited on that. The only difference on the actual system on My Credit Status itself is we basically see a flag, whether that user passed or failed the person verification test. If the user failed the test they won't have access to anything. The only change we can make when we do a manual validation is we enter their ID number and we tell them the person did pass the manual validation so they will now have access, but we still do not see any or have access to any of their own data. It's only that now the data can be released to the customer.
Laura: [10:31] Okay, so for example, if someone is trying to get a credit report on behalf of a third party fraudulently, they would still need to know personal information of that person that they want the credit report on.
Chris: [10:46] Correct, yes.
Laura: [10:46] I can't try and get my, as an example, my sister's credit report information, unless I have certain personal information with regards whether it's her banking account or various other retail accounts in order to access it, is that correct?
Chris: [11:00] Yes, you would have to know the person quite intimately to be able to pass the online person verification test because the questions are random. It can be related to banking, to where you shop, to which accounts or cards you have, vehicle, finance, home loans, all of that. It can be any of those categories and unless you know exactly what that person's financial history looks like you won't be able to answer those questions and gain access.
Laura: [11:29] Okay, yes, that's very important and like you say they're random questions that come up so if a person enters their own personal details they cannot assume those random questions will appear for the third party that they're trying to access.
Chris: [11:42] No. Also if they try now and they can't answer the questions they do get a second attempt, but it will be random questions again so the questions are dynamically generated. You can't say, okay, this is the first question and the next question will be about banking, the next one about a retail account. Everything is dynamically and randomly generated when the user has to be validated.
Laura: [12:10] Okay, that's really good. The other thing is, what kind of support does My Credit Status offer, online support?
Chris: [12:20] Our main form of support is email support where we have an email ticket system. It just makes it easier to escalate and to assign to the correct person, whether it be about refunds, about manual validations or just general questions. Then we also provide a phone number which is an interactive support system where the user will basically enter their ID number and they will choose between several options until they get to the desired answer. From that they can do anything from changing their password, not actually changing it, but requesting a password reset and also to have questions that they might have, answered.
Laura: [13:09] Okay and this is obviously on twenty four hours a day, available twenty four hours a day.
Chris: [13:15] Correct, yes. The support tickets are basically answered during working hours, but the phone support is twenty four hours.
Laura: [13:21] Okay, that's fantastic. Now, are there any other new developments that will be taking place at My Credit Status that you can share with our audience?
Chris: [13:30] Well, we're always looking to improve the services that we offer, but, currently unfortunately I cannot elaborate too much, but I can say we will be looking at ways to personalise the entire onboarding experience and we'll also be offering much more tailored solutions to our customers in future.
Laura: [13:46] Correct, so we're constantly striving to actually improve the service that we're offering so it's not just a normal credit report, there's more benefits that you will receive.
Chris: [13:55] Yes, definitely.
Laura: [13:57] Okay, Chris, I must say it's been a real privilege to have you on our show and to our audience, thanks for listening. Be sure to visit My Credit Status, and now that you know more about how our systems are in place to protect your personal details head over to mycreditstatus.co.za and get yourself a copy of your credit report. Chris, thank you very much.
Chris: [14:19] It's a pleasure Laura. Thank you very much.
Laura: [14:21] Okay.
[14:21] Thank you for listening to My Credit Status podcast. Make sure you tune into our next show where we will continue to provide you with valuable information about your credit health. We value your feedback, so we would love it if you can rate and review us on iTunes. Don't forget to subscribe to this podcast so that you can be alerted as soon as a new episode is live. Visit mycreditstatus.co.za.